Audit: MN Not Adequately Protecting Students' Personal Info

Updated: 08/30/2013 7:32 AM KSTP.com By: Stephen Tellier



There are security concerns over names, addresses, test scores and more -- the personal information of every public school student in Minnesota. On Thursday, auditors told 5 EYEWITNESS NEWS the state is not doing enough to make sure your child's information stays private.
 
There is no evidence that any student's personal information has been compromised. But auditors said the potential is there, and they're concerned a breach could occur before the problems are fixed.
 
"When the parents provided that information, they had a right to expect that it was going to be protected better than this," said Cecile Ferkul, deputy legislative auditor with the Office of the Legislative Auditor.
 
Ferkul supervised the audit, which found, "The security controls for one of the Department of Education's most important operating systems were not adequate to protect not public information." That includes the personal information of thousands of Minnesota students and teachers.
 
"The potential is there that somebody could access that data and use it for other purposes, unauthorized purposes," Ferkul said.
 
Christopher Buse is the state's chief information security officer with MN.IT Services. His job is to work with the Department of Education to protect that information.
 
When asked, "Is student and teacher data that is not public data as secure as it could be right now?" Buse replied, "I guess the answer to that is, everything could always be more secure."
 
In a written response to the audit, state officials wrote they, "recognize that gaps do exist, particularly with our older systems." The operating system in question is older. It's slated to be swapped out for a newer, more secure model -- but not for another year or two.
 
In the meantime, the Department of Education said in its response to the audit, "We will work with MN.IT Services to determine what control improvements can be implemented without significant system renovations and/or costs."
 
"The question really is not, 'Is it as secure as it could be?' but, 'Is it as secure as it should be, based on the appropriate risk that we see?'" Buse said.
 
Buse said it is, but also promises to fix the issues identified by the audit within weeks.
 
The Department of Education told us no one was available to speak with us on camera on Thursday. But in an email, a spokesman wrote, "We take the security of student information very seriously, and will be vigilant in working with our partners at MN.IT to ensure that nonpublic data are appropriately safeguarded and secure."
 
The state has also agreed to draw up a plan of action by October 15, which will lay out specific milestones and timelines for improvements.